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1.  Introduction 


This  document  is  a  guide  for  users  of  Zadok,  the  Z  syntax  and  typechecker  developed 
by  the  SCEIP  Unit  at  RSRE.  It  is  assumed  that  users  of  this  tool  may  not  be  familiar 
with  the  Perq  computer  operating  with  the  Flex  system,  so  an  introduction  to  the  use 
of  Flex  is  given  m-Section  2.1.  Some  knowledge  of  Z  is  assumed. 

This  Guide  also  introduces  the  keyware  software  developed  by  the  SMITE  team  at 
RSRE  which  is  used  with  the  Z  tool.  Other  topics  covered  are  how  to  use  the  Z 
editor;  how  to  run  the  Z  typechecker  and  correct  errors  it  may  find  in  your  file  of  Z; 
and  how  to  print  your  file  using  a  PostScript  printer.  Section  6  discusses  two  issues 
relating  to  the  Z  language,  namely  the  differences  between  the  syntax  used  by  the 
typechecker  and  that  given  in  Spivey's  reference  manual  [Spivey88],  and  the  style  of 
language  adopted  by  the  typechecker. 

The  final  section  describes  some  known  problems  with  the  Z  tools,  including  the 
editor,  and  gives  advice  on  how  to  deal  with  these.  The  annexes  contain  the  Z 
symbols  used  by  the  editor,  and  what  they  mean,  the  Z  library  of  basic  mathematical 
constructs  used  by  the  typechecker  and  the  Z  syntax  used  by  the  tool. 

2.  Getting  Started  on  the  Perq 

2.1  Using  the  Flex  System 

The  Flex  system  provides  on-line  assistance  for  new  users  in  the  form  of  a  tutorial 
and  on-line  documentation.  When  the  Perq  is  switched  on,  there  is  an  introductory 
display  inviting  you  to  log  in.  Instructions  on  how  to  login,  and  explanations  of  the 
elementary  keyboard  operations  can  be  displayed  by  pressing  the  HELP  key  on  the 
top  left  of  the  Perq  keyboard.  Basic  terminology  like  puck  and  cursor  is  also 
explained.  There  is  a  user  called  guest  which  can  be  accessed  by  anyone  from  which  a 
tutorial  can  be  read  and  some  experiments  done  (note  the  tutorial  file  can  also  be 
accessed  from  any  user).  To  log  in  to  any  user  name,  for  example,  yourjiame ,  type 

()your_name! 

on  a  line  by  itself,  and  press  ENTER  on  the  keypad. 
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Other  on-line  documentation  may  be  reached  in  several  ways.  There  is  an  Edfile 
called  doc  which  is  shared  and  contains  documentation  on  common  modules  and 
procedures.  This  is  accessed  by  typing  the  name  doc  on  a  line  by  itself,  obeying  it  by 
pressing  Enter  on  the  keypad,  then  pressing  Examine  (the  centre  button)  on  the  puck. 
The  top  level  of  this  file  contains  a  cartouche  (box)  for  each  topic.  Examining  a 
cartouche  will  display  documentation  on  that  topic.  Information  may  also  be 
accessed  for  a  named  value  by  typing  info.name  on  a  line  by  itself,  pressing  ENTER 
on  the  keypad  and  then  Examine  on  the  puck. 

Pressing  the  HELP  key  on  the  keyboard  will  display  information  depending  on  where 
you  are.  It  is  usually  information  on  the  structure  you  are  pointing  to  with  the  cursor 
and  the  operations  which  may  be  performed  on  that  structure.  In  these  methods  the 
editor  is  being  used  to  examine  the  appropriate  Edfile.  Exiting  from  the 
documentation,  as  from  any  other  file,  is  achieved  by  pressing  Result  (the  right  hand 
button)  on  the  puck  or  Quit  (CTRL-LINE  FEED)  on  the  keyboard. 

The  command  interpreter  language  for  the  Rex  system  is  called  Curt  [Currie82].  The 
most  important  function  of  Cun  is  to  call  procedures.  These  procedure  calls  are 
expressed  in  reverse  Polish,  that  is,  an  expression  which  allows  the  parameter  to  be 
written  before  the  procedure  to  be  called  is  mentioned.  For  example,  a  procedure 
call  which  would  be  written  f(x)  in  normal  notation  is  expressed  in  Cun  by: 

xf! 

The  !  symbol  says  that  the  "thing"  immediately  before  it  (f)  is  a  procedure  and  the 
previous  "thing"  (x)  is  its  parameter.  Pressing  ENTER  (also  called  Obey)  evaluates  the 
procedure  and  returns  a  value  which  will  be  represented  on  the  screen  by  a  box 
drawn  around  the  procedure  call.  This  box  is  called  a  cartouche.  If  the  result  of  the 
procedure  call  is  something  that  can  be  displayed,  it  may  be  examined  by  pressing 
Examine  (the  middle  button)  on  the  puck  when  the  cursor  is  on  the  canouche.  If  you 
press  the  Undo  Cartouche  key  (5  on  the  key-pad)  while  the  cursor  is  on  the 
canouche,  one  level  of  evaluation  is  undone.  If  you  press  the  Mode  key  (1  on  the 
keypad)  while  the  cursor  is  on  a  canouche  the  symbols  in  the  box  will  be  replaced  by 
the  mode  of  the  value  that  the  canouche  is  standing  for. 

Values  may  be  named,  either  temporarily  or  permanently.  For  example,  there  is  an 
identifier  known  to  the  system,  a4_blank,  which  is  an  Edfile  (a  Curt  mode),  and  is  a 
blank  file  of  width  equivalent  to  that  of  a  piece  of  a4  paper,  and  capable  of  being 
extended  indefinitely  in  length.  Suppose  you  have  created  such  a  file,  by  typing 
a4_blank  on  a  line  by  itself  and  evaluating  it  by  pressing  ENTER  on  the  keypad.  To 
type  something  into  the  file,  press  Examine  on  the  puck  with  the  cursor  on  the 
canouche  representing  the  file.  This  takes  you  in  to  the  file,  and  automatically  calls 
the  editor.  Having  typed  in  some  text,  resulting  from  the  file  by  pressing  Result  (the 
right  hand  button)  on  the  puck  will  remember  the  changes  you  have  made  and  the 
cartouche  you  see  will  represent  the  changed  value.  If  you  quit  from  the  file,  by 
pressing  CTR!  -T  TNE  FEED,  the  changes  will  not  be  remembered  and  the  canouche 
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will  represent  the  old  value.  To  name  the  file,  bill,  say,  obey  the  following  command 
(that  is,  type  the  command  on  a  line  by  itself  and  press  ENTER  on  the  keypad) 


a4_blank  |  =  bill 

This  introduces  the  name  "bill"  as  a  temporary  name  for  the  file.  Typing  the  name  of 
a  value  on  a  line  by  itself  and  pressing  ENTER  will  give  you  a  cartouche  standing 
for  the  same  value.  Names  must  start  with  a  lower-case  letter  and  contain 
lower-case  letters,  digits  and  the  underline  symbol.  Temporary  names  will  last  for 
the  current  session,  and  if  you  re-use  the  name  for  something  else  the  later  value 
will  override  the  earlier  one.  To  name  a  value  permanently,  a  double  equals  "==" 
should  be  used  instead  of  the  single  equals  sign  for  temporary  names. 

When  you  log  in,  you  are  calling  the  procedure  your_name  with  a  void  parameter 
(written  ()),  which  creates  an  environment  for  you  to  work  in.  After  logging  in  for  the 
first  time,  it  is  advisable  to  create  a  password  for  your  user-name.  This  may  be 
achieved  by  obeying  the  following  command  (that  is,  type  the  command  on  a  line  by 
itself  and  press  ENTER  on  the  keypad) 

"fred"  make_password! 

which  will  create  the  password  "fred"  (using  the  procedure  make_password  with 
parameter  fred  (a  vector  of  characters)).  The  next  time  you  log  in  the  Perq  will  ask 
you  to  type  your  password  before  logging  you  in.  After  typing  the  password,  type  a 
full  stop  to  indicate  the  end  of  the  password  (not  RETRN  as  you  may  expect).  For 
more  information  see  the  information  file  info.make_password  on  the  Perq.  An 
initial  display  may  also  be  created,  which  will  be  displayed  each  time  you  log  in.  For 
more  information  see  info.initial_display  on  the  Perq. 

The  environment  of  use  is  defined  by  the  set  of  names  accessible,  and  these  are 
defined  by  the  set  of  dictionaries  available.  A  dictionary  is  a  value  of  Curt  mode 
Dictionary,  and  is  a  disc  reference,  that  is,  it  is  the  only  kind  of  value  in  filestore 
which  can  be  updated.  Each  dictionary  contains  the  association  between  names  and 
values,  the  set  of  Modules  belonging  to  the  owner  of  the  dictionary,  and  the  history 
of  alterations  to  the  dictionary  since  the  last  garbage  collection  of  the  disc.  One  of 
the  dictionaries  accessible  to  you  is  your  own  user  dictionary.  This  dictionary  can  be 
listed  by  obeying  the  following  command 

()show_dict! 


An  example  of  part  of  a  dictionary  is  shown  below. 


DISPLAY 

06/09/89 

17  48  33 

No  Info 

PASSWORD  | 

11/09/89 

1501  11 

No  Info 

amend 

16/02/89 

091146 

info.amend 

z_spec 

16/02/89 

11  21  44 

No  Info 
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Associated  with  each  value  is  the  date  and  time  it  was  last  updated,  together  with 
an  information  file,  if  one  exists. 


Removing  things  from  your  own  dictionary  involves  first  listing  the  dictionary  by 
using  the  show_dict  command.  To  delete  z_spec,  say,  place  the  cursor  on  the  line 
starting  with  that  name  and  press  the  Group  key  (6  on  the  keypad)  until  the  cursor 
covers  the  entire  line  (not  just  the  displayed  characters  and  cartouches).  The 
message  at  the  top  of  the  screen  should  be  "(Box)  Element  (n)  in  Vertical".  Then 
press  Delete  Element  (PF4  on  the  keypad)  to  delete  the  line  followed  by  Result  on 
the  puck  to  exit  from  show_dict.  The  name  is  not  finally  deleted  until  the  command 
tidy_dict  is  applied  to  the  result  of  the  edit  of  the  dictionary  by  typing  tidy_dict! 
immediately  to  the  right  of  the  cartouche  containing  Oshow_dict!  and  pressing  Enter 
on  the  keypad.  Old  versions  of  values  can  be  retrieved  from  the  dictionary.  For 
example,  to  recover  old  versions,  of  the  file  z_spec,  say,  obey  the  following  command 


"z_spec"  old_versions! 


which  will  display  all  versions  of  z_sDec  since  the  last  garbage  collection  of  the 
disk.  More  information  on  dictionaries  may  be  found  by  examining  the  file 


i  Environments,dictionaries 


in 


doc 


Another  dictionary  accessible  to  you  is  the  common  dictionary  which  contains  all 
named  values  that  are  shared  by  all  users.  To  list  this  dictionary  obey  the  following 
command 

()show_common! 

Most  of  the  entries  in  this  dictionary  have  an  information  file  associated  with  them. 
These  files  may  be  examined  in  the  usual  way  by  placing  the  cursor  on  the  cartouche 
and  pressing  Examine  on  the  puck. 

To  keep  the  results  of  a  session,  explicit  action  must  be  taken.  This  means  that 
values  should  be  named  permanently,  that  is,  using  two  equals  signs.  This 
name/value  association  will  then  be  automatically  added  to  your  dictionary.  More 
information  on  keeping  things  may  be  found  in  the  tutorial. 

Pressing  Result  on  the  puck  enough  times  will  log  you  out  back  to  the  introductory- 
display.  If  you  accidentally  log  out  without  saving  everything  you  need,  you  can 
recover  if  you  immediately  log  in  again  by  typing  your  user  name  followed  by  an 
exclamation  mark  to  the  right  of  the  cartouche  containing  ( )your_name\ .  This  returns 
you  to  the  display  as  it  was  when  you  accidentally  logged  out. 
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To  create  an  Edfile  in  which  you  can  write  a  Z  specification,  you  can  use  an 
a4_blank.  Alternatively,  obeying  the  following  command  will  give  a  file  of  a4 
width,  using  Propl6  font  (with  a  lead  of  3),  which  is  the  font  this  Guide  was  written 
in,  and  which  is  required  for  printing  a  file  of  Z  on  a  PostScript  printer  (see  Section 
7): 

((5,3),(630,0))make_file! 

This  will  give  you  an  empty  file,  initially  one  line  long  but  may  be  extended 
indefinitely  in  length,  and  pressing  Examine  on  the  puck  will  take  you  into  the  file. 
For  information  on  the  meaning  of  the  parameters,  see  the  file  info.make_file  on  the 
Perq. 

2.2  Installing  the  Z  Tools 

This  section  gives  a  brief  guide  for  managers  on  installing  the  Z  system  from  floppy 
disc. 

Before  installing  the  Z  tools,  two  common  users  must  be  created  in  manager,  called  r  and 
keyware.  Installation  uses  the  appropriate  user  name  and  consists  of  inputting  a 
floppy  disc  file,  reconstructing  it  and  obeying  the  Cun  lines  (the  ones  with  an 
exclamation  mark)  within  them.  For  information  on  reconstructing,  see 
info.make_reconstruct.  In  order  to  preserve  the  modules  and  allow  for  updating,  keep 
the  resulting  files  after  undoing  the  Cun  lines  if  necessary.  The  file  name  for  the  key 
compiler  is  keys  and  this  may  be  installed  independently  of  the  Z  system. 

To  install  the  Z  system,  it  is  necessary  to  install  the  Z  editor  first.  As  it  declares  the 
Z  pictures,  the  Cun  function  dec jjicture  Jns  must  have  been  obeyed  first.  The  file  is 
called  zedit  and  this  must  be  copied  in,  reconstructed  and  installed  before  any  other 
files  are  brought  in.  The  syntax  and  type  checker  is  split  into  two  files  called  ztcl  and 
ztc2  because  .t  occupies  more  than  one  floppy.  The  two  files  should  be  amalgamated 
before  reconstructing  and  installing.  The  file  zmisc  simply  contains  a  list  of  gblocks 
useful  for  Z,  suitable  for  editing  into  a  key  compiler  module  for  use  with  the 
gblockjchoose  function  (see  Section  3  for  more  information  on  the  Keyware  system). 

3.  Keyware 

The  key  compiler  system  provides  a  very  flexible  way  of  assigning  key  functions  to 
control  keys.  This  also  allows  certain  control  keys  to  produce  special  frequently 
used  characters  such  as  "a"  which  are  otherwise  not  available  from  the  keyboard. 
Other  keys  may  be  set  to  bring  up  a  table  of  special  texts  (a  gblock  menu)  from  which 
one  text  may  be  selected  by  placing  the  cursor  on  it  and  pressing  Select  (the  left 
hand  button)  on  the  puck.  For  the  Z  editor,  this  feature  is  used  to  introduce  schemas 
and  other  Z  texts.  Control  keys  may  also  be  set  to  bring  up  a  menu  of  useful 
functions,  from  which  list  one  may  be  selected  as  before.  An  example  of  this  is  the 
main  menu  produced  by  pressing  CTRL-a.  This  menu  also  gives  access  to  a  list  of 
information  files  concerned  with  modules  suitable  for  use  with  a  control  key. 
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An  Edfile  is  first  created  containing  the  required  keysetting  modules.  A  typical 
example  of  such  a  file  is  given  below. 

std_keys 


{  KEY  a  =  main  menu  } 
CHAR  A  s  "a" 


KEY  b* 

bold :  Module 

{  KEY  B  « 

Bottom  of  page  } 

KEY  c  * 

centre  :Module 

1 

KEY  C  =  [i 

uncentre  :Module 

KEY  D  = 

=  subscript  :Module 

KEY  e  = 

enclose  :Module  [ 

KEY  E  =  | 

unenclose :  Module 

KEY  f  = [ 

forbid_entry  :Module 

KEY  F  = 

=  unforbid_m  :Module 

KEY  g  = 

group_char  :ModuIe 

1 

help_group  :Module 

KEY  G  = 

j  group_word  .Module 

he!p_group  .Module  j 

CHAR i = "n" 


"Italic" 


KEY  j  *  justify  :Module  j 


{  KEY  k  =  list  of  keys  } 


KEY  J  = 


unjustify  :Module 


CHAR  m  =  "e  "  CHAR  M  =  "e  " 

CHAR  n  =  "-i"  CHARN  =  "KN" 

CHAR  o  ==  "v "  CHAR  P  =  "IP'  _ 

KEY  p  =  change_page  :Module  help_change_page  : Module 


{  KEY  P  usually  the  laser  printer  } 

CALL  q.Q  =  j  qchoose  :Module  j  "Choose  character  from  font" 


CHAR  t  =  "0 
KEY  u 


underline  :Module 


KEY  U  =  j  superscript  .-Module  j 


CHAR  v  =  "u"  CHAR  V  =  "U" 


APPLY  y  *  gblock_choos  :Module  |  z_gblocks  j  help_choose  :Module 


MENU  "Handy  Things"  x 


remove_dels  :Module 


"Remove  Dels" 


overline  :Module 


bcfore_para  :Module 


"Overline" 

Before  Para" 


unpara :  Module  "Unpara' 


para : Module  |  "Group  to  Para” 

"Edfile  to  Forbid" 


promote_file  tModule 


show  size :  Module 


"Show  size" 


FINISH 
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This  file  must  be  compiled  using  the  key  compiler,  by  obeying  the  following  | 

command 


Edfile 


kev_compiler! 


The  result  of  this  is  a  Compiledpair,  just  like  an  implementation  language  compiler. 
The  function  new  must  then  be  applied  as  follows 


Compiledpair 


new! 


This  will  produce  a  module,  called  stdjceys  (the  name  at  the  top  of  the  Edfile),  which 
should  then  be  used  as  the  parameter  of  the  function  keys  whenever  the  key  settings 
need  changing,  by  obeying  the  following  command: 


!  std_keys  rModule  keys! 


Pressing  ctrl-k  after  obeying  this  function  will  display  which  keys  have  been  set. 
Those  letters  which  have  a  blank  after  them  have  not  been  set.  Usin6  this  example 
will  produce  the  following: 

covfTKPL  j'uxpncy}# 


a  **  main  menu  ** 
b  bold 
c  centre 

d 

e  enclose 

f  forbi'-emry... 

g  gToup_char  j 

h 

i  n 

j  justify 

k  **  This  Help** 

I 

m  e 
n 


o  v 

P 


change_page 


n  Choose  character  from  font 


r 

s 

t  9 

u  underline 
v  u 
w 

! - 

x  j  Handy  Things 

y  j  Z_gblocks 


z 


A  A 

B  Bottom  of  Page 
C  uncentrc 
D  subscript 
E  unenclose 
F  upfQrbid.nL- 
G  |  group_word ' 

H 

I  Italic 
J  unjustify 

K 

L 

M  e 
N  KN 
O 

P  IP 

Q  Choose  character  from  font 

R 

S 

T  Top  of  Page 
U  superscript 

V  U 

w 

X  Repeat  Handy  Things 

Y 
Z 
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A  list  of  modules  suitable  for  using  in  the  key  setting  file  may  be  found  by 
examining  the  file  Key  procedu;-  inside 


Edfile  utilities 


which  may  be  found  in  jdoc  . 


4.  The  Z  Editor 


The  Z  editor  is  based  on  the  Flex  structure  editing  system  called  pictures.  It  uses  a 
special  Z  picture  to  represent  schemas  and  other  Z  boxes,  theorems,  w/iere-phrases,  and 
grouped  Z  text  as  required  for  indentation  and  global  constraints.  A  Z  picture  can  be 
incorporated  into  any  editable  structure.  In  preparing  a  specification  an  Edfile  in 
whateve  font  and  format  is  required  for  the  documentation  is  used  and  the  Z 
pictures  inserted  into  it.  Moving  the  cursor  into  a  picture  will  automatically  call  the 
Z  editor,  normally  this  immediately  re-calls  the  standard  editor  to  edit  the  text  of 
the  signature  or  predicate  as  the  case  may  be.  These  will  always  use  the  Z  font,  no 
matter  what  the  outer  font  is.  If  the  Z  structure  is  to  be  changed  (to  name  a  schema 
for  example)  the  Z  editor  must  be  invoked  directly.  This  can  be  done  by  pressing  the 
RETRN  key.  Alternatively,  the  Z  editor  may  be  invoked  by  the  use  of  the  Container 
key  (0  on  the  keypad):  press  this  repeatedly  until  the  message  at  the  top  of  the  screen 
displays  the  Z  structure  in  brackets,  for  example  "(Signature)  in  Z  box".  There  are 
three  specific  Z  editing  instructions  provided,  namely  insert  blank ,  insert  below ,  and 
help. 

insert  blank  (-  on  the  keypad):  if  the  structure  being  edited  is  either  a  signature  in  a  Z 
box  which  allows  a  name  or  generic  parameters,  and  these  are  not  currently  present, 
or  a  theorem  without  a  hypothesis,  an  empty  name  or  hypothesis  is  created  and  the 
cursor  moved  into  it.  If  the  structure  is  a  predicate  the  editor  beeps  and  does  nothing, 
otherwise  a  blank  line  will  b**  inserted  above  the  entire  Z  phrase. 

insert  below  (.  on  the  keypad):  if  the  structure  being  edited  is  a  signature  in  a  Z  box 
which  does  not  have  a  predicate,  a  blank  predicate  line  is  created  and  the  cursor 
moved  into  it.  Otherwise  the  editor  beeps  or  inr  .rts  a  line  below  the  entire  Z  phrase 
as  appropriate. 

help  (on  the  keyboard):  displays  a  help  file. 

The  Z  pictures  are  as  follows: 

_  Name _ , 

declaration 

_  Schema  box 

predicate 


declaration  Unique  Definition  box 
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declaration 


Vertical  rule 


|  predicate 

Y 

conclusion  Theorem 

predicate 

where  w/zere -phrase 

declaration 

Grouped  Z  text  (indicated  by  a  box  round  the  Z  text,  but  only 
[■ setl,set2 ]  when  it  is  being  edited) 

Anything  not  in  one  of  these  pictures  will  be  treated  as  surrounding  text  and  ignored 
by  the  syntax  and  typechecker. 

There  is  one  special  key,  namely  the  LINE  FEED  key,  which  has  a  special  meaning. 
It  corresponds  to  a  "hard  new  line",  or  vertical  list  separator  in  Z.  The  effect  of 
pressing  this  key  is  to  add  a  small  invisible  separator  to  the  bottom  of  the  current 
signature,  predicate  or  Z  phrase  and  to  start  a  new  line  of  characters.  This  separator, 
called  a  white  bar,  can  be  detected  by  placing  the  cursor  between  two  lines  separated 
in  this  way.  The  message  "(White  Bar)  Element(n)  in  Vertical"  will  appear  at  the 
top  of  the  screen.  Note  that  the  white  bar  is  always  added  to  the  bottom  of  the  Z,  so 
must  be  deleted  and  inserted  if  it  is  required  any  where  else.  Only  one  hard  new  line 
must  be  used  between  lines  of  Z,  else  the  typechecker  will  report  an  error. 

5.  Using  the  Typechecker 

Having  edited  a  Z  specification,  the  next  stage  is  to  carry  out  syntax  and  type 
checking.  This  section  deals  with  the  practical  aspects  of  how  to  call  the 
typechecker,  and  the  sort  of  results  to  expect.  It  explains  how  the  tool  displays  error 
messages,  the  son  of  messages  to  expect  and  how  to  correct  errors. 

5.1  Running  the  Typechecker 

Calling  the  typechecker  is  a  straightforward  operation,  and  simply  involves  applying 
the  function  called  z  to  an  Edfile  which  contains  Z,  by  obeying  the  following 
command: 

Edfile  z! 

Errors  in  the  Z  specification  will  cause  the  typechecker  to  report  faults  using  the  Z 
editor  as  described  in  the  following  section.  An  error-free  specification  will  result  in 
either  the  original  file  or  a  Compiledpair  in  the  case  where  the  specification  ends  with 
a  keeps  statement.  In  the  latter  case  the  Compiledpair  may  be  converted  into  a  module 
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by  using  the  new  function  or  used  to  amend  an  existing  module.  The  use  of  modules 
is  further  explained  in  section  5.4. 

5.2  Error  Messages 

There  are  two  types  of  error  messages,  those  relating  to  syntax  errors,  and  those 
relating  to  type  errors.  Syntax  errors  all  have  the  same  format,  and  are  best 
illustrated  by  example.  Consider  the  following  pan  specification  of  a  library  system. 
This  library  uses  two  given  sets,  BOOK  and  PERSON  to  represent  all  the  books  in  the 
world,  and  all  the  people  in  the  world  respectively.  Suppose  we  had  typed 

[BOOK;  PERSON] 

with  a  semi-colon  rather  than  a  comma  separating  the  two  given  sets.  The  Z  tool 
will  place  the  cursor  on  the  offending  semi-colon,  and  display  the  message 

"Syntax  error,  found  semi-colon,  expecting  comma  or  c  square  brkt" 

at  the  top  of  the  screen.  In  this  message,  "c  square  brkt"  is  an  abbreviation  of  "close 
square  bracket”  ("]").  The  words  in  bold  give  the  format  of  all  syntax  error  messages. 
If  there  are  several  possible  symbols  expected  in  place  of  the  one  found,  then  the 
error  message  will  be  longer  than  it  is  possible  to  display  at  the  top  of  the  screen.  In 
this  case,  the  message  will  appear  in  a  box  one  line  of  text  high,  and  as  long  as 
necessary,  which  is  likely  to  disappear  off  the  right  of  the  screen.  In  this  case,  the 
complete  message  may  be  read  by  scrolling  along  the  box  using  either  the  right 
arrow  key  or  by  holding  the  select  button  on  the  puck  down  and  moving  the  arrow  on 
screen  to  the  right  of  the  message  box. 

There  is  a  variety  of  possible  error  messages  resulting  from  a  typechecking  error.  As 
an  example,  suppose  the  library  specification  continues  with  the  following  schema 
representing  the  state  of  the  library: 

_  Library _ 

borrowers  :  fP  PEOPLE 
books  :  IP  BOOK 
books  on  shelves  .  IP  BOOK 
on  Joan  :  BOOK  ■+>  PEOPLE 

dom  on  Joan  n  books  _on_shelves  -  0 
dom  on  Joan  u  books  _on_shelves  -  books 
rng  on  Joan  c  borrowers 


The  typechecker  would  find  2  errors  in  this  schema.  The  first  would  be  in  the  line 
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borrowers :  IP  PEOPLE 


the  cursor  would  be  placed  on  the  "E  "  of  "PEOPLE"  and  the  message  "Identifier 
PEOPLE  undeclared"  would  appear  at  the  top  of  the  screen.  The  second  error  is 
found  in  the  line 

on_loan  :  BOOK  ■+>  PEOPLE 

and  the  cursor  placed  on  the  "E"  of  "PEOPLE".  The  message  at  the  top  of  the  screen 
would  this  time  be  "Incorrect  type  for  instantiation".  The  source  of  both  of  these 
messages  is  the  fact  that  PEOPLE  has  not  been  declared  anywhere.  The  second 
message  reflects  the  fact  that  the  typechecker  is  trying  to  instantiate  ■+>,  as  this  has  been 
defined  with  generic  parameters  in  the  Z  library,  and  PEOPLE  is  not  a  type.  Note  that 
the  typechecker  usually  places  the  cursor  on  or  after  the  error.  Now  suppose  that  the 
library  specification  is  further  developed  by  adding  the  following  schema  to  describe 
the  operation  of  borrowing  a  book: 

Borrow _ 

p? : PEOPLE 
b?  :  BOOK 
Library;  Library' 

p?  e  borrowers 

b?  e  books _on_s helves 

books _on_shelves'  =  books  _on_shelves\  {b?) 

borrowers'  =  borrowers 

books'  =  books 

on  loan'  =  on  loan  u  {b?  *->  p?} 


The  typechecker  will  again  find  fault  with  PEOPLE ,  this  time  for  two  reasons:  one, 
that  it  has  not  been  declared,  and  two,  that  it  is  not  a  type,  which  is  required  in  this 
position.  This  leads  to  two  messages,  which,  as  there  is  not  enough  room  at  the  top 
of  the  screen  for  two  lines,  appear  in  a  box  in  the  main  part  of  the  file,  immediately 
above  the  error.  These  messages  are  "Identifier  PEOPLE  undeclared"  and  "The  term 
given  is  not  a  type". 

In  the  case  where  the  typechecker  gives  a  message  which  includes  the  name  of  the 
offending  identifier,  then  this  will  not  include  any  decoration,  such  as  ',?,  or  !.  This 
means  that  it  could  be  referring  to  the  identifier  itself,  or  a  decorated  form  of  the 
identifier.  It  is  important  to  note  that  the  error  messages  do  not  themselves  use  the  Z 
font,  so  if  the  identifier  causing  an  error  uses  a  symbol  not  available  in  the  message 
font,  a  blank  will  appear  in  the  message  instead  of  the  actual  identifier. 
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5.3  Correcting  Errors 


Errors  may  be  corrected  one  at  a  time,  using  the  tab  key  to  progress  through  the  file. 
Care  should  be  taken  as  some  errors  may  be  consequential,  that  is,  by  correcting  one 
error  several  later  errors  may  be  corrected  automatically.  This  often  occurs  with 
errors  in  defining  a  schema,  as  wherever  that  schema  is  used  later  on,  the 
typechecker  will  not  recognise  it  which  will  result  in  several  consequential  error 
messages.  Another  example  of  this  is  in  the  library  specification  of  section  5.2 
above.  If  the  first  (syntax)  error  prompted  a  change  to  [BOOK,  PEOPLE ],  then  none  of 
the  other  errors  would  require  any  action. 

Correcting  errors  is  simply  a  matter  of  editing  the  file.  However,  the  typechecker 
will  mark  a  line  containing  an  error  which  has  the  effect  that  if  correcting  the  error 
requires  any  symbol  from  the  Z  gblock  menu  to  be  chosen,  then  it  will  not  be 
inserted  immediately  before  the  cursor  but  will  instead  be  placed  at  the  beginning  of 
the  line.  This  is  an  unfortunate  feature  of  the  Flex  editor.  To  overcome  it,  there  is  a 
key  procedure  called  unsetjnark,  which  can  be  used  with  CTRL- a  or  to  define  a 
control  key,  which  will  remove  the  mark  from  the  line  and  allow  it  to  be  edited 
normally. 

in  "die  case  where  the  error  message  appears  in  a  box  in  the  main  part  of  the  text,  the 
result  button  on  the  puck  must  be  clicked  to  free  the  cursor  and  put  it  back  in  the 
main  body  of  the  file  before  attempting  to  correct  the  error,  and  also  before  using  the 
tab  key  to  go  to  the  next  error.  When  all  errors  have  been  found,  the  message 
"Nothing  found"  will  appear  at  the  top  of  the  screen.  The  file  should  then  be 
typechecked  again,  and  the  process  repeated  until  the  specification  is  correct. 
Please  note  that  just  because  a  specification  has  been  successfully  typechecked  it 
does  not  mean  that  the  specification  is  consistent  or  that  it  specifies  what  was 
required. 


5.4  Modules 

Modules  of  Z  are  a  means  of  structuring  specifications.  They  allow  large 
specifications  to  be  built  up  and  typechecked  gradually,  and  also  provide  for  some 
reusability  of  Z  specifications.  A  module  is  formed  by  adding  a  keeps  statement  to  the 
end  of  a  specification,  which  has  the  form 

module  name  keeps  idl,  id2,  id3 

where  the  identifiers  that  appear  in  the  keeps  list  are  those  which  will  be  visible 
outside  the  module.  This  statement  must  be  inside  a  grouped  Z  text  picture. 

For  example,  suppose  we  have  corrected  the  library  specification,  and  wish  to  make 
it  into  a  module  so  that  it  may  be  used  as  part  of  a  larger  specification.  The 
identifiers  we  wish  to  keep  are  BOOK ,  PEOPLE,  Borrow,  and  Library,  and  we  will  call 
the  module  library.  The  specification  is  as  follows: 
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[BOOK,  PEOPLE ] 


_  Library _ _ _ _ 

borrowers :  IP  PEOPLE 
books :  IP  BOOK 
books _on_shelves  :  IP  BOOK 
onjoan  :  BOOK  ■+>  PEOPLE 

dom  onjoan  n  books _on_shelves  =  0 
dom  onjoan  u  books _on_s  helves  =  books 
rng  onjoan  c  borrowers 


_  Borrow _ 

p?  :  PEOPLE 
b?  :  BOOK 
Library;  Library’ 

p?  e  borrowers 

b?  e  books _on  shelves 

books  _on_s  helves'  =  books  on  shelves  \  {b?} 

borrowers'  =  borrowers 

books'  =  books 

on  loan'  =  onjoan  u  {b?  ^  p?} 


library  keeps  BOOK,  PEOPLE,  Borrow,  Library 


The  result  of  typechecking  this  specification  will  be  a  Compiledpair,  and  this  may  be 
seen  by  pressing  the  mode  key  (1  on  the  keypad).  The  function  new  should  then  be 
applied  by  obeying  the  following  command: 


Compiledpair 


new! 


A  module  will  result,  and  pressing  the  mode  key  again  will  produce: 


library  :Module 


Modules  of  Z  may  be  incorporated  into  other  files  of  Z  by  listing  them  at  the  top  of 
the  new  file.  Any  number  of  modules  may  be  listed,  and  an  empty  Z  phrase  must  be 
put  at  the  bottom  of  the  list  (below  the  last  module).  Any  identifier  appearing  in  the  keeps 
list  of  one  of  the  modules  may  then  be  used  in  the  new  file.  It  is  important  to  note 
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that  all  identifiers  required  must  be  in  the  list,  including  all  branches  of  datatype 
definitions.  Keeping  the  name  of  a  datatype  will  not  automatically  keep  all  its 
components. 


A  Compiledpair  may,  instead  of  having  the  function  new  applied  to  it  to  create  a  new 
module,  be  used  to  amend  an  existing  module.  The  form  of  this  command  is 


Compiledpair  library  :Module 


amend!! 


For  further  information  on  the  amend  command,  see  the  information  file  info.amend 
on  the  Perq  (which  also  gives  information  on  modules  and  other  functions  which  may 
be  applied  to  them).  An  alternative  to  amend  is  the  function  change_spec,  which  must  be 
used  in  the  case  where  the  keeps  list  has  been  altered  or  the  type  of  any  identifier 
changed.  The  format  of  the  command  line  is  the  same  as  for  amend,  however  all 
occurrences  of  the  module  changed  will  be  flagged  as  "untidy".  This  may  be  checked 
by  pressing  the  Mode  key  (1  on  the  keypad)  with  the  cursor  on  an  occurrence  if  in 
doubt.  Every  (untidy)  occurrence  must  be  tidied  using  the  procedure  tidyjnodule.  See 
info.tidy_module  for  more  information.  Any  specification  which  uses  a  module 
which  has  been  changed  using  amend  or  changespec  will  need  to  be  re-typechecked. 


6.  Language  Issues 


The  Z  syntax  used  by  the  Z  tool  is  based  on  that  of  King  et  al  [King87],  and  is  different 
in  some  respects  from  that  published  in  [Spivey89].  This  section  describes  some  of  the 
main  differences  between  the  syntaxes,  and  also  discusses  some  features  of  the 
language  as  used  by  the  Z  tool.  The  type  checking  and  scope  rules  of  Z  as  used  by 
the  syntax  and  typechecking  tool  have  been  formally  specified  in  Z,  and  the 
interested  reader  is  referred  to  [Sennett87]  for  details. 

6.1  Differences  with  Reference  Manual  Z 


There  are  3  major  differences  between  the  syntax  used  by  the  tool  (see  Annex  C)  and 
that  of  the  Reference  Manual,  namely  the  use  of  theorems,  where  phrases  and  modules 
by  the  typechecker  which  are  not  part  of  the  Reference  Manual  Z. 

Theorems  take  the  form 


hypothesis 

► 

conclusion 


and  asserts  that  the  conclusion  may  be  derived  from  the  hypothesis.  The  symbol  V  is 
called  a  turnstile.  This  construct  is  often  used  for  stating  proof  opportunities. 

The  hypothesis  may  be  empty,  which  is  equivalent  to  true,  or  a  list  containing  any 
number  of  predicates  (which  include  schema  references),  declarations,  and 
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declarations  bar  predicates.  The  items  in  the  list  are  separated  by  either  semi-colons 
or  hard  new  lines.  The  conclusion  of  a  theorem  is  a  predicate. 

where- phrases  are  a  type  of  existential  quantification,  and  take  the  form 


Predicate 

where 

Declaration 

The  predicate  part  of  a  where -phrase  is  a  list  of  predicates,  while  the  declaration  pan 
may  have  one  of  the  following  forms:  a  list  of  syntactic  definitions  separated  by 
semi-colons  or  hard  new  lines;  one  declaration  bar  predicate;  or  a  vertical  rule.  As 
an  example,  consider  the  following  where -phrase: 

predicate 
where 
I  x:X 


I  P(x) 

This  is  equivalent  to 
3  x  :  X  |  p(x)  •  predicate 

where -phrases  are  particularly  useful  in  the  predicate  part  of  schemas,  however  care 
must  be  taken  with  the  scoping  of  variables  introduced  in  the  the  declaration  part  of 
a  where- phrase,  as  such  variables  only  have  scope  within  the  predicate  part  of  the 
w/jere-phrase  in  which  they  were  introduced. 

Modules  have  been  introduced  as  a  means  of  structuring  Z  specifications,  much  like 
using  separately  compiled  pieces  of  code  to  build  up  a  large  computer  program.  See 
section  5.4  for  details  on  how  to  create  and  use  modules. 

A  further  difference  with  Reference  Manual  Z  is  the  omission  of  bags  from  the 
syntax  used  by  the  Z  tool.  These,  together  with  operations  on  them,  can  be  defined 
by  the  user  if  required.  The  most  convenient  way  is  by  creating  a  module  which  can 
then  be  incorporated  into  any  specification  which  requires  it.  It  is  also  worth  noting 
that  the  horizontal  form  of  schemas  is  also  not  allowed  by  the  typechecker. 


6.2  Common  Causes  of  Errors 


The  purpose  of  this  section  is  to  list  some  of  techniques  of  writing  Z  adopted  by  the 
typechecker  which  should  help  to  diagnose  some  of  the  more  common  errors.  The 
incorrect  matching  of  brackets  often  causes  problems,  with  the  error  message 
"Incorrect  type  for  function  application  or  relation"  being  the  most  likely  result. 
Another  common  problem  is  caused  by  the  incorrect  use  of  the  hard  new  line  -  it  is 
easy  to  leave  one  at  the  bottom  of  a  Z  phrase,  or  to  use  two,  one  under  the  other.  In 
either  case  a  syntax  error  will  result,  however  the  cursor  will  be  placed  before  the  extra 
hard  new  line  by  the  typechecker  not  after  the  error  as  is  usually  the  case.  Other 
things  to  watch  out  for  are: 

1.  Cross-products.  When  using  cross  products  in  signatures,  they  must  always  be 
bracketted,  for  example 

P  [X,  Y  ]  =— | 

fst :  (X  xY)  -*X 


2.  Infix  functions  and  relations.  When  declaring  the  type  of  an  infix  function, 
brackets  must  be  used  round  the  function  name  and  placeholders.  However,  brackets 
must  not  be  used  when  declaring  an  infix  relation,  for  example 

[Xf  Y )  : -  ==q 

(_»  J:<XxY)->(XxY) 


is  a  function,  and 


=  [X]  =  ■  =t 

_ i 


is  a  relation. 

3.  Inverse.  There  is  a  special  symbol  for  functional  inverse,  namely  -1,  so  superscripting 
is  not  required  for  this.  (Superscripts  may  be  used  for  iteration  and  user-defined 
operators.) 

4.  Renaming  and  instantiation.  Lists  for  renaming  and  instantiation  must  be 
subscripted,  for  example 

_  Schemal 
n.KN 
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Schema2  &  Schemal 


[m!n\ 

5.  Symbol  overloading.  Symbols  may  not  be  overloaded,  that  is,  used  more  than  once 
with  different  meanings. 


7.  Printing  a  File  of  Z  Using  the  PostScript  Printer 


In  order  to  print  a  file  containing  Z  on  the  Apple  LaserWriter  II,  the  outermost  font 
of  the  file  must  be  Propl6  (that  is,  font  (5,lead)).  If  the  file  was  created  using  a 
different  font,  then  it  must  be  changed,  and  obeying  the  following  command  (which 
uses  a  lead  of  3)  will  achieve  the  desired  result: 


6  Edfile  ,  (5,3))  change_font! 


For  further  information  on  this  command,  use  the  information  file  info.change_font 
on  the  Perq. 


In  order  to  print  a  file,  it  must  first  be  put  inside  another  Edfile,  an  a4_blank  for 
example.  Alternatively,  there  is  a  prepared  file,  called  an  Apple  blank  which  contains  a 
Prop  16  file  inside  another  Prop  16  file.  The  inner  file  is  then  used  for  writing  Z. 
Obeying  the  following  command  will  convert  the  required  file  into  the  PostScript 
format,  and  then  send  it  to  the  Apple  LaserWriter  to  be  printed: 


(Ja4_blankj,  12)  postscript!  apple_send! 


The  number,  12  in  this  example,  determines  the  size  of  the  printed  characters  in 
points.  The  smaller  the  number  the  smaller  the  print.  This  Guide  was  printed  using 
12. 


More  than  one  file  can  be  printed  at  a  time  if  required.  This  is  particularly  useful  for 
printing  chapters  or  sections  of  a  document  each  prepared  in  its  own  file,  as  each  file 
is  started  on  a  new  page,  and  the  pages  numbered  consecutively.  It  is  achieved  by 
putting  all  the  files  in  a  vertical  list  in  the  required  order  inside  the  outer  Edfile,  and 
obeying  the  same  command  as  before. 

It  should  be  noted  that  the  program  used  for  printing  Z  as  described  is  under 
development  -  caveat  emptor. 

8.  Known  Problems 

This  section  lists  the  known  problems  with  the  Z  editor  and  typechecker,  and  offers 
advice  on  how  they  may  be  overcome.  If  you  discover  any  problems  not  listed  here, 
please  inform  the  author. 

1.  Modules  inside  a  Z  phrase.  The  problem  here  involves  the  editor,  and  occurs  when 
a  single  module  is  placed  inside  a  Z  phrase.  If  the  cursor  is  on  the  module,  and  the 
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right  arrow  used  to  move  to  the  right,  then  the  editor  enters  an  infinite  loop.  The 
visible  sign  of  this  is  the  cursor  disappearing,  and  a  flickering  of  the  module 
cartouche.  Pressing  CTRL  REJ/DEL  (break  in)  stops  the  looping,  unfortunately  all 
editing  done  since  the  last  save  is  lost. 

2.  Overwriting  the  schema  box.  The  problem  here  involves  the  display,  and  may 
occur  when  inserting  elements  into  schemas  where  the  schema  contains  a  where 
phrase.  The  remembered  element  may  be  inserted  over  the  bottom  line  of  the 
schema  box,  that  is,  the  bottom  line  is  overwritten.  Using  insert  remembered 
horizontal  rather  than  vertical  sometimes  solves  the  problem,  otherwise  inserting  a 
line  at  a  time  may  help.  If  all  else  fails,  the  Z  will  have  to  be  retyped  in  the  required 
place. 

3.  Deleting  structures.  The  problem  which  arises  in  this  case  occurs  when  a  whole 
section  of  a  Z  picture,  say  the  declaration  part  of  a  schema  box,  is  deleted.  If  an 
attempt  is  made  to  put  the  cursor  in  the  empty  space,  the  cursor  will  disappear  and 
the  message  "(White  Bar)  Signature  in  Z  Box"  will  appear  at  the  top  of  the  screen. 
Typing  something  then  pressing  right  arrow  (top  right  of  the  keyboard)  will  remove 
the  white  bar  and  restore  the  line. 

4.  Using  the  typechecker  in  conjunction  with  the  sketches  software.  If  a  sketch 
appears  in  a  file  containing  Z,  then  when  typechecked  the  Z  tool  will  stop  on  the 
sketch.  The  TAB  key  must  be  pressed  to  move  on.  This  applies  when  using  forbids, 
too. 

5.  Inverse.  If  a  functional  inverse  symbol  is  placed  next  to  a  left  image  bracket,  that 
is,  -1l,  without  an  intervening  space,  the  typechecker  will  report  an  error  with  the 
message  "identifier  undeclared". 
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Annex  A  -  The  Z  Symbols 


This  annex  gives  a  list  of  symbols  for  Z,  together  with  their  meaning. 

Symbol  Meaning 

£  Schema  definition 

«  Left  angle  bracket  (for  datatype  definitions) 

»  Right  angle  bracket  (for  datatype  definitions  and  for  piping) 

-i  Not 

a  And 

v  Or 

=$  Implication 

Equivalence  (if  and  only  if) 

V  For  all 

3  There  exists 

3 j  There  exists  (unique) 

•  Then 

e  Set  membership 

x  Cartesian  product 

P  Power  set 

g  Forward  composition 

©  Overriding 

*  Not  equals 

n  Intersection 

u  Union 

C  Subset 

c  Proper  subset 

«  Not  member 

H  Distributed  intersection 

U  Distributed  union 

F  Finite  set 

0  Empty  set 

Relation 

<  Domain  restriction 

<  Domain  subtraction 

>  Range  restriction 

►  Range  subtraction 

(  Left  image  bracket 

)  Right  image  bracket 

_1  Inverse 

Maplet 

N  Natural  numbers 

;>  Greater  than  or  equals  to 

£  Less  than  or  equals  to 

Concatenation 

1  Range  restriction  (for  sequences) 
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{  ~  Left  sequence  bracket 

)  Right  sequence  bracket 

V  Turnstile 

Partial  function 
Total  function 
Finite  function 
Partial  injection 
Total  injection 
Finite  injection 
Partial  suijection 
Total  suijection 
Bijection 
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GENERALIZED  UNION  AND  INTERSECTION  PROJECTION  FUNCTIONS  FOR  PAIRS 


Ft*] 


U,n  :PPX->PX 


V  A  .  fp  IP  X 

•  UA  *  {jc:X|(3SM*jc€  S)} 
HA=  [x:X\ (VS:A»xe  SJ} 


=  [X,  Y]  =  ===== 

fst  :(XxY)^>X 
snd  :(XxY)^>Y 

V  x :  X;  y :  Y  •  /srfx,  y)  =  x  a  indfx,  yj  =  v 


RELATIONS 

MAPLET  DOMAIN  AND  RANGE 


IDENTITY  RELATION 
F  t*]  ========= 

MX  =={*■' *•*»*} 


RELATIONAL  COMPOSITION 

=  [X,  Y,  Z]  ■  =  :  = . -  ■  . =  =| 

(J J  ;  ((X  <~>Y)  x(Y  <r~>  Z))-*(X  <-»  Z) 

V  R  :  X  <r>  Y;  S  :  Y  Z 

•RSS  =  {jc  / X; y  :  K,  2  ; Z |  rtfr, y)  a  Sfy,  2j  •  x  »  z} 

-  -  —  1 
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RESTRICTION  OPERATORS 


=  [X,  Y)  =—  — 

( _<J  :  (W  X  x  (X  Y))-*(X  <-»  Y) 
(V  J  :  ((X  «-»  Y)  x  P  Y)->(X  Y) 


VS.IPX;/?.X<->y 

•  S  4  /?  =  {a: :  X;  y  ;  Y  |  x  «  S  a  y)  •  a:  y} 
v/?.XHy,T.Py 

{x  :X;y;Y\R(x,y)Ay*  T*x»y) 


RELATIONAL  INVERSION 


=  [X,  Y]  —  ■  --  ■■  - - 

__1 :  (X  «-»  Y)-*(Y  <-»  X; 

V  R  :X<->  Y'R~'=  {x:X;y :  Y \R(x,y)  x) 


RELATIONAL  IMAGE 

=  [X,  Y)  =  - . 

_I_I :  ((X  <->  Y)  x  IP  X)  -»  P  X 

VR:X^>  Y;S:PX 
*  fllSJ  =  {*  ;  X;  y  :  Y  \  x  e  S  a  R(x,  y)  •  y} 


TRANSITIVE  CLOSURE 


_+,  _* :  (T «-»  T)—>(T  «-*  7) 

V  R:T<*  T 

'R+  =  C\{Q:T<r>T\RzQAQ*9Q<zQ} 

A/?*  =  /?+ui^r 
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=  [X,  Y]  - - = 

X-*>Y==  {f:X*r>Y 

I  V  x :  X;  yp  y2  :  Y  *f(x,  y})  a  f(x,  y2)  =$y]=y2 

} 


INJECTIONS 

=  [X,  Y)  ===== - . .  = 

==  {f  :X-**Y  |  V  Xj,x 2  :  dom f*fxl  =fx2  =$  x}  =  x2} 
X»Y  ==  (X>»Y)  n  (X-*Y) 


SURJECTIONS  AND  BUECTIONS  FUNCTIONAL  OVERRIDE 


F  [X,  Y) 


1  F  t*> 


X-^Y=  =  {f:  X+>Y  |  rngf=  Y} 
X-»Y  ==  (X+»Y)  n  (X->Y) 
X>»Y  ==  (X^Y)  n 


(_e  j:  ((x-»Y)  x  (x-»y))->(x-»y) 


Vf,g  :X-»Y*f@g  =  ((domg)if)  u  g 


NUMBER  RANGE 


I 

(_..J  :(2*2)->P2 

V  a,  b:2»  a..b  =  {k  :ZL\a<,k<.b) 

-  ■ 

FINITE  SETS  AND  CARDINALITY 

=  [*]= . .  == . .  ,  = 

F X  ==  {5  :WX  |  3  n  : IN  •  3/;  l..n— >5  •  rngf  -  S } 

F/X==FXnF;X 


=  IX]  = . — . ==■: . . = 

#_  ;  F  X  -*  N 

V  S  :  F  X  ~  __ 

•  #5  =  ^  n  :  IN  |  3/:  l..n>-*S  •  rngf  =  S  •  n 


FINITE  PARTIAL  FUNCTIONS  AND  INJECTIONS 

=  [X,  Y]  ~ -  -  | 

W==  {f:X-»Y\domf*  F X} 
X>*>Y  ==  (X-Vr>Y)  n  (X>»Y) 


SEQUENCES 

=  [*]==  —  =— 
seqX  ==  {f:M-»>X\domf=  1  ..Uf] 
seqfX  ==  {f:seqX\Uf>0} 


MAXIMUM  AND  MINIMUM 

min  ==  X  S  :  P }  Zi  •  m  :  S  |  V  n  :  S  •  m  <;  n  •  m 
max  ==  \S  .IP •  |im  :  5  |V  n  :  S  •  m>  n  •  m 

SEQUENCE  DECOMPOSITION 
=  [X]  ===== 
hd,  last :  seq}  X  — >  X 
tl,  front :  seqjX—*  seq  X 

V  s : seqjX 
•  hds  =  s  1 
a  last s  =  s#s 
a  tls  =  succ  $  (2  ..  Us  <  s) 
a  front  s  =  l..(Us-l)  <  s 
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CONCATENATION 

F[X]=  -  ==q 

:  (seq  X  x  seq  X)—*seq  X 

V  s,  t :  seq  X  •  s~t  =  s  u  ((X  n  :  N  |  n  >  Us  •  n  -  Us)  g  t) 


SEQUENCE  CONSTRUCTION 

F  W  - - =====  =  -  ===== 

(_  cons  J  :  (X  x  seq  X)—>seq  X 
(_  snoc  J  :  ( seq  X  x  X)—>seq  X 

V  x :  X;  s  :  seq  X  •  x  cons  s  =  (x)~  s  a  s  snoc  x  =  s  “  (x) 


SEQUENCE  REVERSAL 

=  [X]  =^--= - =  . . z 

rev  :  seq  X— >seqX 

V  s  :  seq  X  •  rev  s  =  (X  n  :  1  ..  Ms  •  #s-n+l)  g  s 


FILTERING 

=  [*]-■  ■=■—=■  -  = 

(_\  J  :  (seq X  x  P X)—*seq X 

V  V:VX 
•0^=0 

a  (\f  x  :  X  •  (x  g  V=»  (r)f  V=  <*»  a  f*  «  V=»<x)fV  =  0>M 
A(Vj,r ; A" •  ('j'r)  f  V  =  (s  f  V)  ~  (t  f  V)) 


DISTRIBUTED  CONCATENATION 

=  [*]  =  ===  = 
7 ;  seq  (seq  X)—*seq  X 

-/  0 = 0 

V  j  :  seq  X»~l  (s)  =  s 

V  <7,  r ;  seq  (seq  X)  •  'l(q'r)  =  (7  <7)77  r) 
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DISJOINT,  PARTITION 

=  [I>X]  —  ===== 
disjoint :  I P(I  ■+>  IP  X) 
_partition_  :  (I  ■+>  IP  X)  <->  fP  X 


V S  ,7-HPXJ :PX 

•  (disjoint  S  &  (V  i,j :  dom  S  \  i  *  j  •  (S  i)  n  (S  j)  =  0)) 
a  (S  partition  T  O  disjoin *  S  a  U  (i :  dom  S  •  S  »}  =  T) 


Annex  C  -  The  Z  Syntax 

This  syntax  is  given  in  British  Standard  form  (BS  6154:1981)  [BS]  and  has  the 
following  features: 

1)  Denotations  of  the  terminal  symbols  are  enclosed  in  quotes. 

2)  [  and  ]  indicate  optional  symbols. 

3)  {  and  }  indicate  repetition,  that  is,  a  possibly  empty  sequence  of  symbols. 

4)  Each  rule  has  an  explicit  final  character  (a  semi-colon). 

5)  Brackets  group  items  together. 

6)  (*  and  *)  indicate  a  comment. 

7)  A  comma  is  the  concatenate  symbol,  an  equals  sign  the  defining  symbol  and  a 
vertical  line  the  alternate  symbol. 

Named  terminal  symbols 


id 

standard  identifier,  including  decora! 

document 

a  specification  module 

decor 

?, !, ',  or  subscript 

EZ 

end  of  Z  picture 

NL 

hard  new  line 

SI 

start  indentation 

El 

end  indentation 

finish 

end  of  file 

SR 

start  vertical  rule 

ER 

end  vertical  rule 

UD 

unique  (generic)  definition 

inset 

infixed  generic  sets 

preset 

prefixed  generic  sets 

postset 

postfixed  generic  sets 

op 

infix  operator 

encop 

lhs  of  enclosed  operator 

distinop 

lhs  of  distributed  infix  operator 

distpreop 

lhs  of  distributed  prefix  operator 

cop 

delimiter  of  two  part  operators 

preop 

prefix  operator 

postop 

postfix  operator 

sconst 

numbers  and  the  constants 

TH 

start  theorem 

ETH 

end  theorem 

SW 

where  phrase  delimiter 

where 

where  phrase  delimiter 

EW 

where  phrase  delimiter 

rel 

relational  operator 

explicit_set 

{  when  indicating  start  of  set  display 

pre 

pre-condition  schema  operator 

SB 

start  schema  box  (after  name) 
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t 


ST 

ESB 


middle  line  of  schema  box 
end  schema  box 


Rules 

z_text  =  [z_phrase],  finish 

|  z_phrase,  z_sep,  z_text; 

z_sep  =  list_sep  |  EZ; 


list_sep  =  |  NL; 


z_phrase  =  given_set_def 
|  definition 
|  constraint 
|  theorem 
|  import 
|  export; 

given_set_def  =  '[' ,  givenjds,  ']' ; 

given Jds  =  id,  { ,  id  }; 

definition  =  axiomatic_def 
|  syntactic_def 
|  datatype_def 
|  schema_def; 

constraint  =  pred; 

theorem  =  V ,  pred 

|  TH  ,  [gen_params],  [hyps],  V ,  pred  Jist,  ETH; 
hyps  =  hyp,  {list_sep,  hyp}; 
hyp  =  pred  |  dec  |  pred,  T ,  dec; 
import  =  doc,  {doc}; 
doc  =  document,  [  decor  ],  [instantiation]; 
export  =  id,  'keep',  idslist; 

ids  *  id  |  inset  |  preset  |  postset  |  op  |  rel  |  encop,  eop 
|  distinop ,  eop  |  distpreop ,  eop  |  preop  |  postop; 

idslist  =  ids,  { ,  ids  }; 
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reference  =  ( id  |  id ,  '$' ,  id  ),  [instantiation]; 

instantiation  =  y ,  inst_Iist,  y ; 

instjist  =  inst_term_list  |  binding_list  |  renamejist; 

(*  The  two  forms  of  instantiation  and  schema  renaming  are  all  treated  as 
instantiation  in  this  syntax:  the  various  possibilities  are  distinguished  semantically 

*) 


inst_term_list  =  term,  {  '/ ,  term  }; 

bindingjist  =  id,  '= ' ,  term,  {  ,  id,  '= ' ,  term  }; 

renamejist  =  id,  7\  id,  id,  7',  id  }; 

axiomatic_def  =  liberal_def 
|  unique_def 
|  generic_def; 


liberal_def  =  dec,  [  '|' ,  pred  ] 

|  SR,  def.body,  ER; 

def_body  =  dec  Jist,  [  ST ,  predjist  ]; 

unique_def  =  UD,  def_body,  ER; 

generic_def  =  decl_name,  gen_params, ,  term,  T ,  pred 
|  UD,  gen_params,  def_body,  ER  ; 

gen_params  =  '[' ,  given  Jds,  T ; 

dec  Jist  =  dec,  (list_sep,  dec); 

dec  =  decl_name,  {list_sep,  decl_name}, ,  term; 

(*  decl_n?me  has  options  to  indicate  the  syntactic  status  of  the  operator  being  defined  *) 


decl.name  =  id  |  id  , '  '  | ,  id  |  id  , ,  id 
I  T/J, id, 

|'_',id/y 
I  id, ,  id  , 

IV, id/  '.id; 


syntactic_def  =  syn_def Jd 

|  decl_name,  gen_params,  '=  =  ' ,  term 
I  UD,  gen.params,  syn_def_list,  ER; 
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syn_def_4d  =  decl_name,  '=  =  ' ,  term; 

syn_def_list  =  syn_def,  {list_sep,  syn_def}; 

syn_def  =  syn_def_id  |  syn_def_ids; 

(*  syn_def_ids  defines  prefix,  postfix  and  infix  generic  sets  *) 

syn_def_ids  =  id,  id,  '= =' ,  term 

|  id,  id,  id,  '==' ,  term; 

datatype_def  =  id,  ,  branch,  {  T ,  branch  }; 

branch  =  id  |  id, '«' ,  term, '»' ; 

schema_def  =  id,  [gen_params],  schema_definition; 

schema_definition  =  's',  schema_term  |  schema; 

schema  =  SB,  locaLdec_list,  [  ST,  predjist  ],  ESB; 

predjist  =  pred,  {list_sep,  pred}; 

local_dec_list  =  (dec  |  inclusion),  [list_sep,  local_dec_list]; 

inclusion  =  ( id  |  id,  ’$’ ,  id),  [instantiation]; 

(*  Only  schema  renaming  is  allowed  here  *) 

explicit_constr  =  tuple 

|  explicit_set, '}' 

|  explicit_set,  termlistl,  '}' 
j '(' ,  [termlistl], ')' ; 

termlistl  =  term,  {  ,  term  }; 

tuple  = '(' ,  term, ,  termlist2, ')' 

|  '0' ,  reference; 

termlist2  =  term,  {  ,  term  }; 

(*  aform  =  atomicformulae,  and  includes  predicates.  The  distinction  between  terms 
and  predicate  is  checked  semantically  *) 

aform  =  rZ.'  \  'Char'  |  sconst 
|  reference 
|  aform,  7 ,  id 
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| '(' ,  product, ')' 

|  explicit_constr 

| '{' ,  local_dec_list,  [  T .  pred  ],  [  ,  term  ], '}' 

I '(' ,  partials, ')' 

|  encop,  term,  eop 

|  SW,  ax_dec_list,  where,  pred_list,  EW 
|  SW,  syn_def_list,  where,  predjist,  EW 
ir.pred,  T; 

product  =  term,  V,  term,  {  'x\  term  }; 

ax_dec_Iist  =  local_dec_list,  T  .  pred 

|  SR,  decjist,  ST,  prcd_list,  ER; 

(*  partials  corresponds  to  various  forms  of  panial  application  *) 

partials  =  ,  rel, 

I  J  *  °P>  form2 
|  aform,  op, 

I  _  » op,  _ 

|  ,  distinop,  term,  eop 

|  aform,  distinop, ,  eop 
|  ,  distinop, ,  eop 

|  distpreop, ,  eop, 

|  distpreop,  term,  eop, 

|  distpreop, ,  eop,  form3 
|  encop, ,  eop 
|  preop, 

1  ,  postop; 

(*  The  following  syntax  rules  define  the  priority  of  the  various  operator  symbols.  The 
weakest  binding  is  the  infixed  generic  sets  such  as  — >  *) 

formula  =  forml,  {inset,  forml }; 

(*  infixed  operators  *) 

forml  =  [  forml,  op  ],  form2; 

(*  function  application  *) 

form2  =  [form2],  form3; 

(*  prefix  function  application  and  generic  sets  *) 

form3  =  preop,  form3 
|  preset,  form3 
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|  distpreop,  term,  eop,  form3 
|  TP',  form3 
|  form4; 

(*  postfix  function  application  and  generic  sets  *) 

form4  =  form4,  distinop,  term,  eop 
|  form4,  postop 
|  form4,  postset 
|  aform; 

comprehension  =  'X ,  local_dec_list,  lambda_set 
|  'n' ,  local_dec_list,  lambda_set; 

lambda_set  =  [  T ,  pred  term; 

term  =  comprehension  |  formula; 

apred  =  SI ,  predjist,  El  |  term; 

rel_exp  =  term,  'e  ',  term 

|  term,  '=',  term,  [tail] 

|  term,  rel,  term,  [tail] 

|  apred; 

tail  =  rel,  term,  [tail] 

|  '=',  term,  [tail]; 

(*  priority  of  connectives:  *) 

log_exp  =  log_expl  |  log_exp,  'O',  log_expl; 

log_expl  =  log_exp2  |  log_expl,  'O',  log_exp2; 

log_exp2  =  log_exp3  |  log_exp2,  'v',  log_exp3; 

log_exp3  =  log_exp4  |  log_exp3,  'a',  log_exp4; 

log_exp4  =  rel_exp; 

quant_exp  =  quant,  decjist,  [  T,  pred  ],  pred; 

quant  =  '3','31','V'; 

pred  =  quant_exp  |  log_exp; 

schema_term  =  quant_sexp  |  log_sexp; 
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quant_sexp  =  quant,  decjist,  schema_term; 

log_sexp  =  log_sexpl  |  log_sexp,  '<=>',  log_sexpl; 

log_sexpl  =  log_sexp2  |  log_sexp2,  '=>',  log_scxpl; 

log_sexp2  =  log_sexp3  |  log_sexp2,  V,  log_sexp3; 

log_sexp3  =  log_sexp4  |  log_sexp3,  V,  log_sexp4; 

log_sexp4  =  spec_sexp  |  log_sexp4; 

spec_sexp  =  spec_sexp,  7', '(' ,  id_list,  0' 

|  spec_sexp,  7',  reference 
|  spec_sexp,  'op',  spec_sexpl 
|  spec_sexp, '»',  spec_sexpl 
|  spec_sexpl; 

idjist  =  id,  {',',  id}; 

spec_sexpl  =  [  'pre'  ],  spec_sexp2; 

rename  =  '[' ,  renamejist, ']'  |  decor; 

spec_sexp2  =  ,  schema_term, '}',  [rename] 

1  reference 
|  schema; 


Reference 


[BS]  "Method  of  defining  syntactic  metalanguage",  British  Standards  Institution,  BS 
6154:1981 
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